[nycbug-talk] fave BSD tips/tricks?

Jerry B. Altzman jbaltz at 3phasecomputing.com
Wed Aug 26 10:14:52 EDT 2009


On 8/26/2009 2:10 AM Miles Nordin said the following:
>>>>>> "il" == Isaac Levy <isaac at diversaform.com> writes:
>>>>>> "cs" == Charles Sprickman <spork at bway.net> writes:
> which points were strong?  or by strong did you mean strong opinions,
> in that neither one of us was the slightest bit swayed by the other,
> and has if anything less respect for the other than when he began?

Well, I did love the ph33rst4mpz post.

> I said something like ``kernel code, setuid binaries, and listening
> daemons matter because they are exposed to attackers.  For ordinary
> userspace programs, programs you don't run are no less secure than
> programs that aren't installed, because the attacker can just upload
> whatever code he needs.  Not installing a compiler inconveniences you

If it takes him more time, if it's harder, then better.

> more than the attacker, and `inconvenience the attacker' should not be
> the goal of your security anyway.''  There's no whiteboard involved in

You could make a whole scarecrow out of that straw man argument. I never 
said that it's the *GOAL* of my security, but it is PART of it.

> Jerry said something like, ``yeah well every little bit you can
> hypothetically slow down a particular specific kind of attacker is
> Good so I see no need to change my rituals.''  His model is to

How is this better than you refusing to change yours?
Yes: everything you do to increase the cost of attack on you is better. 
(For an interesting proof of this, witness the success of graylisting.)

> basically leave clutter all over the place, slowing down attackers and
> legitimate users alike.  just slow down everything.  It's so obviously
> dumb.

Once again, how can you have MORE clutter when FEWER things are there? 
It's an interesting metaphor, but it's totally wrong.
YOUR tools to do your work aren't there...so you have to bring your own 
(just like any other visitor)...and presumably you'd have to clean up 
after yourself.
WE had methods in place to deploy software to OUR production servers 
that didn't require an entire development toolset to be available. It 
worked wonderfully.

> Shall we ``model'' it further?  Most attacks are automated, so unless
> you're the lucky FIRST GUY on which the attack's designed, it won't
> matter how much you do or don't slow down his development because the
> attack will already be scripted and replicated by the time you face
> it.  It's unlikely you'll even slow down the first victim, because the
> attacker will almost certainly build his own machine to attack first,
> because when you are trying to develop the exploit you keep getting it
> wrong over and over which crashes the victim daemon, so you have to
> restart the daemon, and if you practice on a real victim he'll get
> wise.

Right. But there are other forms of attack as well -- leaving around 
detritus, or compromised tools, or ... and not all attackers are as 
smart as you've made them out to be.

The fewer things I have to audit/examine/confirm, the better from a 
security standpoint.
The fewer things I have to maintain and monitor for security updates, 
the better.

> seriously, minified systems are end-to-end dumb.

Seriously, minified systems are end-to-end smart. "Least privilege", 
YAGNI, and whatnot.

>     il> I see no fundamental 'right' in either side of the points
>     il> argued, Miles keeps his compiler, and Jerry deletes his. 
> I just hate these ``can't we all just get along'' posts.  What for?

Gee, Miles, on this we agree.

Miles thinks I'm stupid -- at least in this regard.
I think Miles is stupid -- at least in this regard.

I don't post here to sway Miles. It's clear that he's thought about 
this, at least minimally, as have I. I post here to sway others who 
might be reading. I won't try to speak for Miles; he is eminently 
capable of speaking for himself.

//jbaltz
-- 
jerry b. altzman  jbaltz at 3phasecomputing.com  +1 718 763 7405
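The exposure classes named in this exchange (setuid binaries, listening daemons, and the development toolset Jerry removes) as one short audit script. This is an added example, not code from the original post or from anyone in the thread; it assumes POSIX sh with find(1) and awk(1), a hand-picked list of tool names in DEV_TOOLS, the usual BSD binary directories as defaults, and the column layout of FreeBSD's sockstat -l for the listener parser. The sockstat sample embedded below is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): inventory three things an
# auditor wants as short lists: the dev toolset on PATH, setuid/setgid
# binaries, and daemons bound to non-loopback addresses.
# Assumptions: POSIX sh, find(1), awk(1); sockstat(1) column layout
# (USER COMMAND PID FD PROTO LOCAL FOREIGN) for exposed_listeners.

# Command names taken to make up a "development toolset" (assumed list).
DEV_TOOLS="cc gcc clang c++ g++ clang++ as ld make gmake"

# dev_tools_present [dir ...]
# Print each tool from DEV_TOOLS that exists as an executable regular file
# in the given directories (default: every directory on PATH).
dev_tools_present() {
    if [ $# -eq 0 ]; then
        set -- $(printf '%s' "$PATH" | tr ':' ' ')
    fi
    for tool in $DEV_TOOLS; do
        for dir in "$@"; do
            if [ -f "$dir/$tool" ] && [ -x "$dir/$tool" ]; then
                printf '%s\n' "$tool"
                break
            fi
        done
    done
}

# find_setuid [dir ...]
# List regular files with the setuid or setgid bit under the given
# directories (default: the usual system binary directories, assumed).
find_setuid() {
    if [ $# -eq 0 ]; then
        set -- /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin
    fi
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# exposed_listeners
# Read sockstat -l style output on stdin and print "COMMAND LOCAL" for
# TCP/UDP sockets bound to a non-loopback address, i.e. daemons reachable
# from the network. Loopback-only and unix-domain sockets are skipped.
exposed_listeners() {
    awk 'NR > 1 && $5 ~ /^(tcp|udp)/ {
        host = $6
        sub(/:[^:]*$/, "", host)      # drop the port to classify the bind address
        if (host == "127.0.0.1" || host == "::1") next
        print $2, $6
    }'
}

# Constructed sockstat -l output used for the offline demonstration.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   4  tcp4   *:22                  *:*
root     sendmail   901   3  tcp4   127.0.0.1:25          *:*
root     syslogd    655   5  udp6   ::1:514               *:*
www      httpd      1203  4  tcp6   *:80                  *:*'

# demo_listeners: run the parser over the constructed sample.
demo_listeners() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | exposed_listeners
}

# audit_report: run all three inventories against the live host.
audit_report() {
    echo "== development toolset on PATH =="; dev_tools_present
    echo "== setuid/setgid binaries =="; find_setuid
    echo "== network-exposed listeners =="
    if command -v sockstat >/dev/null 2>&1; then
        sockstat -l | exposed_listeners
    else
        echo "(sockstat not found; pipe equivalent output into exposed_listeners)"
    fi
}

# Run the live audit only when asked; sourcing the file defines the functions.
case "${1-}" in --run) audit_report ;; esac
```

Run it as `sh audit.sh --run` on a host, or source it and feed `netstat`-style output reformatted to the sockstat columns into exposed_listeners on systems without sockstat. The loopback filter is the security-relevant line: a daemon bound to 127.0.0.1 is not part of the remote attack surface Miles describes, while anything on `*` or `::` is.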